Kerberos Java到使用JAAS Configuration进行impala keytab身份验证

时间:2019-06-21 12:24:30

标签: hadoop kerberos jdbctemplate jaas keytab

我正在尝试使用kerberos KeyTab身份验证和JAAS配置连接到Impala DB。

我已经可以通过将系统属性-“ java.security.auth.login.config”设置为JAAS配置文件来连接到Impala DB。而且效果很好。这是工作代码:

System.setProperty("sun.security.krb5.debug", "false");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
System.setProperty("java.security.krb5.conf", krb5ConfPath);
System.setProperty("java.security.auth.login.config", jaasPath);

org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();
conf.set("hadoop.security.authentication", "kerberos");

UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(principal, keyTabPath);

DataSourceBuilder dataSourceBuilder = DataSourceBuilder.create(DatabaseConfig.class.getClassLoader());
return dataSourceBuilder.build();

问题是JAAS配置需要密钥表文件的绝对路径。就我而言,此路径将因环境而异,我不想为每个环境维护不同的jaas.config。

因此,我采用了编程方式来生成JAAS配置。我能够创建“ javax.security.auth.login.Configuration”对象并使用
进行设置 javax.security.auth.login.Configuration.setConfiguration(jaasConfig);

但是当我使用此更改运行代码时,它无法选择JAAS配置,并且失败,并出现以下异常:

  

无法获得JDBC连接;嵌套异常为   java.sql.SQLException:[Simba] ImpalaJDBCDriver错误   使用票证缓存创建登录上下文:无法获取主体   认证名称。

请问谁能解释为什么通过System属性设置配置时代码可以正常运行,而通过编程方式设置却无法正常工作。

System.setProperty("sun.security.krb5.debug", "false");
System.setProperty("javax.security.auth.useSubjectCredsOnly", "true");
System.setProperty("java.security.krb5.conf", krb5ConfPath);

javax.security.auth.login.Configuration jaasConfig = createJaasConfig(keyTabPath);
             javax.security.auth.login.Configuration.setConfiguration(jaasConfig);

org.apache.hadoop.conf.Configuration conf = new org.apache.hadoop.conf.Configuration();
conf.set("hadoop.security.authentication", "kerberos");

UserGroupInformation.setConfiguration(conf);
UserGroupInformation.loginUserFromKeytab(principal, keyTabPath);

DataSourceBuilder dataSourceBuilder = DataSourceBuilder.create(DatabaseConfig.class.getClassLoader());
return dataSourceBuilder.build();

这就是我创建JAAS Config的方式:

private static javax.security.auth.login.Configuration createJaasConfig(final String keyTabPath) throws Exception {

        // Create entry options.
        Map<String, Object> options = new HashMap<>();
        options.put("useTicketCache", "false");
        options.put("doNotPrompt", "true");
        options.put("useKeyTab", "true");
        options.put("debug", "false");
        // options.put("storeKey", "true");
        options.put("principal", "user@DOMAIN.COM");
        options.put("keyTab", keyTabPath);

        // Create entries
        AppConfigurationEntry[] entries = {
            new AppConfigurationEntry(
                Krb5LoginModule.class.getCanonicalName(),
                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                options
            )
        };

        // Create configuration
        return new javax.security.auth.login.Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return entries;
            }
        };
    }

0 个答案:

没有答案